Colegio ng Lungsod ng Batangas (CLB)

What Happened

On March 4, 2026, a threat actor operating under the handle 4rch4n63l, associated with a group called NullsecPhilippines, publicly posted on social media claiming to have obtained at least 600,000 lines of student personally identifiable information (PII) from Colegio ng Lungsod ng Batangas (CLB).

The threat actor alleged that the data was obtained from CLB's Admission and Registration Portals, citing "stupid security" and claiming that "the developer put the users file publicly including the profiles." The post included a threat to publicly leak the data if security issues were not resolved within one week.

What Was Allegedly Exposed

According to the threat actor's claims:

• Student personally identifiable information (PII)
• Student profiles from the registration portal
• Admission application data
• User files that were allegedly publicly accessible

Important note: These claims have not been independently verified. The actual scope and nature of the exposure may differ from what the threat actor claims.

Current Status

This incident is currently under investigation. Key questions that remain unanswered:

• Has CLB confirmed or denied the breach?
• Has the National Privacy Commission (NPC) been notified?
• Were the portals actually misconfigured as claimed?
• What is the actual number of affected records?
• Has the alleged vulnerability been remediated?

How This Type of Attack Works

Based on the threat actor's description, this appears to be a misconfiguration / data exposure incident rather than a sophisticated hack. The attacker claimed that user files and profiles were publicly accessible — suggesting that file directories or API endpoints on the admission and registration portals lacked proper authentication or access controls.

Common causes of this type of exposure include:

• Directory listing enabled on web servers, allowing anyone to browse uploaded files
• No authentication on file storage paths or API endpoints
• Predictable file URLs that allow enumeration of student documents
• Misconfigured cloud storage (e.g., public S3 buckets or Firebase Storage rules)

Recommended Actions for CLB

1. 1.Immediately audit all public-facing portals — check admission and registration systems for unauthorized access paths, open directories, and misconfigured APIs
2. 2.Disable public directory listing on all web servers
3. 3.Implement proper authentication on all endpoints that serve student data or files
4. 4.Engage a security professional to conduct a vulnerability assessment of all web-facing systems
5. 5.Notify the NPC within 72 hours if the breach is confirmed, as required by the Data Privacy Act
6. 6.Prepare parent and student notification in case the breach is verified
7. 7.Preserve logs and evidence for forensic analysis — do not wipe or rebuild servers until evidence is collected

Context

Colegio ng Lungsod ng Batangas (CLB) is a local college in Batangas City established in 2006, serving students primarily from the Batangas area. As a public educational institution handling thousands of student records including minors' data, CLB is subject to the Data Privacy Act of 2012 and NPC oversight.

This incident highlights the ongoing risk of misconfigured web portals in Philippine educational institutions — a pattern seen in multiple previous breaches tracked on this site, including the DepEd OVAP database exposure and various university portal breaches.